Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Sunday, January 09, 2011

Thoughts on the DOJ wikileaks/twitter court order

The world's media has jumped on the news that the US Department of Justice has sought, and obtained, a court order seeking to compel Twitter to reveal account information associated with several of its users who are associated with Wikileaks.

Communications privacy law is exceedingly complex, and unfortunately, none of the legal experts who actually specialize in this area (people like Orin Kerr, Paul Ohm, Jennifer Granick and Kevin Bankston) have yet chimed in with their thoughts. As such, many commentators and journalists are completely botching their analysis of this interesting event. While I'm not a lawyer, the topic of government requests to Internet companies is the focus of my dissertation, so I'm going to try to provide a bit of useful analysis. However, as always, I'm not a lawyer, so take this with a grain of salt.

A quick introduction to the law

On December 14, an attorney in the US Department of Justice obtained a court order compelling Twitter to reveal records associated with several of its users. The order, issued under 18 USC 2703(d), is not a subpoena (even though the AP, New York Times, Salon and many other outlets have reported that it is). Subpoenas are essentially letters written by law enforcement officers, on official agency letterhead, and have not been reviewed or signed by a judge. The 2703(d) order in question was issued by a magistrate judge.

Per the statute, a judge isn't supposed to issue a 2703(d) order unless the government "offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation". We don't know what these facts are though -- as it doesn't look as though the government's original request to the court has been made public. (It isn't clear if those records themselves remain sealed. I tried to find the case in PACER, and couldn't locate it, so this will have to wait until Monday, when someone can call up the Clerk's office to ask for the documents).

"d" orders can be used to obtain customer records (name, address, credit card info, IP addresses used to connect to the service) and non-content data associated with individual communications (to/from and timestamps from emails, etc.). They can also be used to obtain any saved, outbound communications (such as the "sent" mail folder), all communications that are more than 180 days old, as well as those that have been opened and viewed at least once (except in the 9th circuit). If the government wants access to unread messages that are 180 days old or newer, it must seek a rule 41 court order, which requires a showing of probable cause.

The order to twitter

The government's wikileaks "d" order, as the statute permits, requests the customer subscriber info associated with the account (essentially copying this language in full from the statute).

It is the second part of the order that is more interesting. Again, as the statute allows, the government is requesting non-content information associated with individual communications. What the government appears to be seeking in part 2 is the metadata associated with every Twitter communication to and from the users named in the order. What this means is up for debate. It could mean the name and timestamp of every user who has sent or received a private message to one of the named individuals. It might also mean the list of individuals who have publicly communicated with, or mentioned, the named individual, or who have been named in a tweet by those persons. It might even include a list of followers, although this information is public already, so it is unclear why the government would seek it through a court order.

The statute (and caselaw) permits the government to use a "d" order to get access to communications older than 180 days, those that have been read at least once (outside the 9th circuit), and saved outgoing messages. What isn't so clear to me though, is if the government has requested this information from Twitter or not when it asks for "correspondence and notes of records related to the accounts".

My initial impression is that this is not a request for communications content, but communications between the user and twitter itself (for example, customer service inquiries). However, I'm not really sure about this... so I'll wait for the real experts to weigh in on this bit.

Reading between the lines

With that discussion of the law out of the way, let's get to the fun part: Speculation. Based on this order, and the events that followed, there are some interesting observations to be made.

1. Amateur Hour. The 2703(d) order misspelled the name of one of the targets, Rop Gonggrijp. It also requested credit card and bank account numbers of several Twitter users, even though Twitter is a free service and so doesn't have such information (presumably someone at DOJ knows a little about Twitter, since the agency has 350,000 followers of its official Twitter account).

The Department of Justice prosecutor named in the order, Tracy Doherty-McCormick, was prosecuting online child exploitation cases just five months before the Twitter order was issued. Given that the wikileaks investigation is the most high-profile national security investigation of the decade, and that the court order seeks records associated with an Icelandic member of parliament, you would think that DOJ would assign this case to someone more senior.

From my own experience, outside of the Computer Crime & Intellectual Property Section (CCIPS) and the National Security Division, most DOJ attorneys know very little about technology. As such, it may simply be that Doherty-McCormick, through her experience in prosecuting pedophiles caught in online stings, may be the most tech savvy prosecutor in her office, and thus could have been brought in to help with the investigation on that basis alone.

However, the technical knowledge involved in tricking a pedophile into meeting what he believes is a 13 year old girl isn't quite the same as is required by someone investigating a sophisticated organization run by skilled computer security researchers. Presumably, Doherty-McCormick is in regular communication with tech-savvy attorneys from CCIPS, who are likely assisting in this matter.

2. Three of the individuals named in the order, Jacob Appelbaum, Rop Gonggrijp, and Julian Assange, are computer security experts - Appelbaum has worked with the Tor project, and has co-authored some pretty awesome encryption research, Assange co-authored a deniable encrypted filesystem, and Rop has worked for several years to create mobile phone encryption software. All three likely use strong encryption to store and transmit sensitive communications and use Tor to mask their IP addresses. As such, I'm not really sure what DOJ hopes to gain by asking Twitter for this data -- as it is doubtful that these individuals have entrusted Twitter with anything private.

3. Why the "d" order? For a case this high profile, it is quite shocking that the government is using a "d" order to try and gather information. At least for Assange and Manning, surely there is sufficient evidence already to demonstrate probable cause, and get a rule 41 warrant, which could be used to get full communications content and prospective location information? What is even more surprising though, is that criminal statutes are being used, and not foreign intelligence laws. To be perfectly frank, I would have bet money that DOJ had already obtained a FISA order to monitor Assange and any of his associates. I really don't know what to make of this.

4. Twitter. The bigger story here, IMHO, far more interesting than the government request for wikileaks related info, is the fact that Twitter has gone out of its way to fight for its users' privacy. The company went to court, and was successful in asking the judge to unseal the order (something it is not required to do), and then promptly notified its users, so that they could seek to quash the order. Twitter could have quite easily complied with the order, and would have had zero legal liability for doing so. In fact, many other Internet companies routinely hand over their users' data in response to government requests, and never take steps to either have the orders unsealed, or give their users notice and thus an opportunity to fight the order.

Alex Macgillivray, Twitter's general counsel, is clearly behind this strong, pro-privacy move. Macgillivray was one of the first law students at Harvard's Berkman Center. Until he moved to Twitter, he worked on copyright and privacy issues at Google, where he played a major role in getting the company to contribute takedown requests to chillingeffects.org. Not surprisingly, Twitter recently started sending copies of takedowns to chillingeffects too.

It is wonderful to see companies taking a strong stance, and fighting for their users' privacy. I am sure that this will pay long term PR dividends to Twitter, and is a refreshing change, compared to the actions by some other major telecommunications and internet application providers, who often bend over backwards to help law enforcement agencies. Simply put, the contrast between Amazon, Paypal (owned by eBay) and Twitter couldn't be clearer.

As one further example of this difference, consider Twitter's actions here in contrast with comments from eBay's director of compliance a few years back:

We [eBay] try to make rules to make it difficult for people to commit fraud and easy for you [law enforcement agencies] to investigate. One is our Privacy policy. I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information. [emphasis added]

We do not require a subpoena except for very limited circumstances. We require a subpoena when we need the financial information from the site, credit card info or sometimes IP information.

5. Did the government seek the contents of private messages? As I wrote above, it's not clear if the government sought the content of private messages. Had they sought such information, I would have expected them to be clearer in describing that information. However, based on Twitter's actions in getting the court to unseal the 2703(d) order, had the government sought communications content, I would fully expect to see the company fight that order, on 4th amendment grounds.

My guess is that the government opted to not ask for such information, purely as a strategic matter, as it probably feared that Twitter would lawyer up, refuse to disclose any communications content, and seek to have that part of 18 USC 2703 ruled unconstitutional. Over the past year or so, several courts have taken a dim view of the government's practice of obtaining various forms of private data without probable cause warrants. A 2703(d) request for content from Twitter would be an ideal opportunity for courts to examine this issue, and would likely have been very risky for the government.

What comes next

This case is extremely high profile -- it involves data privacy; Twitter, arguably the hottest communications service; wikileaks; and a member of the Icelandic parliament. I fully expect this to go to court, and for absolutely everyone to try and get involved in this case -- privacy groups, communications providers, and perhaps even the Icelandic government will all likely file amicus briefs.

As a privacy advocate and researcher, I can't wait to see this situation develop.

24 comments:

Could the DOJ target private messages on Twitter? If any whistleblower contacted Wikileaks members through Twitter it would be highly relevant for the case. I guess Facebook and Google got similar orders.

It seems a little doubtful that anyone should take anything you're saying seriously. You entirely defined subpoenas incorrectly, so badly that it makes it doubtful that you're qualified to speak on any aspect of law (really? you think an administrative subpoena encompasses the entire definition for the term? ..really?)

Then, you referred to Jake as an expert at something that didn't involve getting his name associated with someone else's work.

It just makes it very hard to take anything you've said further seriously.

I have a question: according to various tweets circulating at the moment the order actually means that the DOJ will be able to access many other Wikileaks followers on Twitter, because of Section 2 in Part B of the order, which refers to being able to collect information "such as" the IP and e-mail addresses of "sources and destinations" of tweets sent to and from the five ( six? ) accounts listed.

I have a question: according to various tweets circulating at the moment the order actually means that the DOJ will be able to access many/all other Wikileaks followers on Twitter, because of Section 2 in Part B of the order, which refers to being able to collect information "such as" the IP and e-mail addresses of "sources and destinations" of tweets sent to and from the five ( six? ) accounts listed.

The fact that the 18 USC 2703(d) legal powers were increased and amended by the anti-terrorism PATRIOT Act, means that the use of such powers in this case, which clearly does not involve any terrorist plot at all, will be portrayed as a "terrorism slur" .

Back in 2008, the people of Iceland were rightly furious with the then UK Prime Minister Gordon Brown when his Labour government stupidly used anti-terrorism legislation to freeze the financial assets of Icelandic banks, despite having plenty of other financial regulatory powers to do so.

This was seen as treating Iceland in exactly the same way as pariah states like Libya, Iran, North Korea etc.

This led to the "Icelanders are NOT Terrorists" petition, which was signed by over 10 % of the entire population of the country.

More seriously it also led to the cancellation of NATO air defence exercises and to the threat to allow Russian military aircraft to use the strategic Keflavik airbase.

As a Follower of the wikileaks Twitter account (as a constructive critic of the wikileaks project), I also object to any chance of "guilt by association" through secret Communications Data traffic analysis and data sharing.

Note that unlike other countries, e.g. Switzerland, this 18 USC 2703(d) does not specify that any data which is handed over to the US authorities is to be protected in transit or in storage through the use of strong encryption. Given the US Government's record of data insecurity, there is every chance that unprotected copies of this Communication Data will be lost or stolen.

Interesting post, but I agree with jf that your definition of subpoena is not correct. Subpoenas are most often issued by courts to compel the testimony of witnesses, they are *not* an administrative letter unsigned by a judge.

I also got a lot out of this piece, but I do wonder, though more politely, about the definition of subpoena. Not a lawyer either, but that definition doesn't sound right. It seems to me you're conflating the fact that a subpoena can originate with an agency, with the subpoena itself. Don't all subpoenas have to be signed off by a judge? Otherwise, you'd have any agency regularly requesting personal items extra-judicially...

>1. Amateur Hour. The 2703(d) order ... requested credit card and bank account numbers of several Twitter users, even though Twitter is a free service and so doesn't have such information ...

The reason for this seems to be that they used a template for requesting data from ISPs. The template is available here: http://www.justice.gov/criminal/cybercrime/ssmanual/06ssma.html (the last portion of appendix B).

Whether they used this template because of incompetence, because they've been firing out tons of the things, or because they felt the template used was applicable enough to twitter is of course unknown.

I haven't seen any news organizations mention this, but it does explain the strange requests and ambiguous language.

The DOJ is not, and will not ask Twitter for our personal info. U.S military documents were stolen from the U.S. And, Wikileaks received this stolen property, which is illegal, of course. And by publishing this information it has put the lives of the military personnel of the U.S. and its allies in jeopardy. The Iceland lawmaker Briggit J has totally misrepresented what the U.S. is doing. Contrary to what she is saying the U.S. has no intention of curbing free speech of the people or the news media. For some reason she has been claiming this as fact. Probably because she is afraid she may get arrested for working with Wikileaks. How did she get to be a lawmaker in Iceland?

1. Wikipedia says court can issue subpoenas. The second sign on the subpoena.pdf was that of a clerk. Could it have been issued by a clerk? Would the judge's sign still be present if it had been issued by a clerk? Is it normal for the same judge to both issue the sealed document and to unseal it?

2. 2703(d) is basically the criteria for the warrant and the disclosed info are actually 2703(b) and 2703(c). But 2703(b,c) aren't mentioned explicitly in the warrant. But the USC is explicit about this. So does that mean that 2703(d) can be used only with 2703(b,c) if nothing else is mentioned in the warrant or does that mean that separate orders would have been issued for 2703(b,c)? If the govt. requests info under a related section (2704,2705) that reference 2703(b), will it have to get a different court order or just the one under 2703(d) will suffice for interlinked sections? Reason for this question is, I want to know whether it is a possibility that Twitter has been served with other warrants under related sections?

3. What is the calculation behind the ten day period? Other sections have 'no sooner than 14 days...' clauses, but 2703(d) doesn't seem to have a time limit?

-----------------------------------

Thanks for posting the USC links. Very helpful. If you have links to Federal Rules of Criminal Procedure and State warrant procedures, could you post them too? Thanks :o)

I have these 2 links but I can't figure out under which section is the warrant procedure that would have been followed in this case. Help please :?

http://www.law.cornell.edu/rules/frcrmp/
http://law.onecle.com/virginia/

I want to figure this out because - if it's the BradMan case, then would the State Court have issued it? Wouldn't it have been under Federal warrant procedures?

If it is not the BradMan case but rather the WikiLeak case, then shouldn't the commission of the crime be established before investigating the associated people's private conversations in such a high profile case with huge repercussions? Especially as the commission of the crime itself is in doubt?

@James: Yes, those credit card details, etc... are because they are described as such in the 'what can be requested for disclosure' section, 2703 c)2.

-----------------------------------

The link you provided is great :o)

Accd. to that 'specific and articulable grounds' preclude "fishing expeditions" by law enforcement.

This is very interesting.

If it's not the BradMan case, but the WL case, then this would be wrong and the warrant can't be valid.

If it's the BradMan case, the video credit is enough of a link, I guess, but then why was it issued under State authority? Wouldn't BradMan case be investigated under broader laws? Is it normal for federal investigation to get a State warrant? Is the warrant a public record?

We Humans have learned very little from the past. Giving LE (Law Enforcement) carte-blanche access, to a tool like this is asking for trouble (As history has shown). How many abusive parents, & spouses are police officers. A Spouse leaves an abusive relationship, I pray they remember to dump their cell phones. Children leaving abusive parents.. Same goes for them. There are tons of situations where we wouldn't want a LE officer to have this kind of access to track down anyone they see as PROPERTY, or a threat.. Most of these abusive people are also paranoid, & or delusional. You might be asking yourself, "How does this critic know this is going on?"

BECAUSE I LIVED IT WITH MY EX! Now it all makes sense to me how he found me every time I ran. Until today, I was a Sprint/Nextel customer/subscriber.

THEY SHOULD BE ASHAMED OF THEMSELVES! AND not only Sprint/Nextel, but also the paranoid nuts who think this is okay, & keep their mouths shut. We here in America have made a huge mistake (Not me mind you) by letting our Government take our freedoms little by little, all in the name of security. The terrorists have been put in charge of Washington. AND I don't mean the taliban. This is scary crap

Hey Mr Anonymous: "The DOJ is not, and will not ask Twitter for our personal info. U.S military documents were stolen from the U.S. And, Wikileaks received this stolen property, which is illegal, of course. And by publishing this information it has put the lives of the military personnel of the U.S. and its allies in jeopardy."

Hey Mr Anonymous... I keep hearing from media sources, & I see you like repeating the statement, "And by publishing this information it has put the lives of the military personnel of the U.S. and its allies in jeopardy." Unfortunately for you who believe everything that comes from the media, there's not one shred of evidence presented that any "lives have been put in jeopardy"! And all of us with the ability to use our common sense know d@mn well if someone had been harmed by Wikileaks postings, they'd be parading said evidence all over the globe.

IT'S CRAP.. people who repeat it are CRAP. thus I challenge you Mr Anonymous.. Back up your statement.

Sorry for hogging your comment section, but just noticed this.

>>My initial impression is that this is not a request for communications content, but communications between the user and twitter itself<<

--------------------------------------

The disclosure requests in Attachment A of the subpoena is fully of 2703(c) [i.e., Records of remote communication info excluding communication content]

2703(b) [i.e., remote communication content] has not been requested. So tweet message content has not been requested.

Yes, so the request is for 'when, how, where' info rather than 'what' info.

The investigative agency does seem to know already that there haven't been any private messages between them :P

Very good post! Thanks for this analysis, even if there might be a couple of uncertainties regarding the term of subpoena.

I think your blog entry must be read together with Glenn Greenwald's opinion of today on salon.com called "Government-created climate of fear" to get the full picture: http://www.salon.com/news/opinion/glenn_greenwald/ That whole action seems to be part of an official intimidation campaign rather than a sound legal act.

I travelled to the US twice in the late 80ies and loved it. Today, I am shocked and disturbed by the way that wonderful country has - or seems to have - evolved... How can this be, and why?

"Anonymous said... The DOJ is not, and will not ask Twitter for our personal info. ... U.S. has no intention of curbing free speech of the people or the news media. "

Will you please grow up, anonymous? You are speaking for an entity of which you are very ignorant. You obviously have a blind, idealistic ideal of an idea that once existed, but has faded away with the development of the Military-Industrial complex. We could fill many pages of many books with examples of this, but in the interest of simplification, I will provide only one: http://www.wired.com/threatlevel/2010/08/nsl-gag-order-lifted/

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.